Skill permission and sandbox control

Skills that can read your calendar, send email, or access documents need clear boundaries. Permission and sandbox control define what each skill is allowed to do and what data it can see, so you run automation without handing over more access than necessary. This guide covers skill permission and sandbox control: permission models, sandboxing strategies, least privilege, and how document and PDF workflows (e.g. iReadPDF) fit into a secure setup for US professionals.

Summary Declare permissions per skill (e.g. read_calendar, send_email, read_documents). Run skills in a sandbox that limits file system, network, and API access to what the skill requested. Apply least privilege: grant only what's needed. When document handling is involved, confine PDF and doc access to a dedicated pipeline or tool so skills only receive sanitized summaries—not raw file access—unless explicitly required.

Table of Contents

• Why Permissions and Sandboxing Matter
• Declaring Permissions per Skill
• Permission Models
• Sandboxing Strategies
• Document and PDF Access Control
• Least Privilege in Practice
• Audit and Revocation
• Conclusion

Why Permissions and Sandboxing Matter

Skills from the community or from your own team can misbehave by accident or malice. A skill that only needs to "read calendar" should not send email or read every file in your home directory. Permissions make intentions explicit: "This skill requests read_calendar and read_tasks." Sandboxing enforces those limits at runtime so that even if the skill tries to do more, the runtime blocks it. For US professionals handling sensitive documents and schedules, that's the difference between controlled automation and unnecessary risk.

When document workflows are in the loop, you want to limit which skills can open raw PDFs or access full document content. Tools like iReadPDF can sit in a controlled context: the user (or a trusted pipeline) runs summarization there, and skills only receive structured output (summary, key points) unless they have explicit document-read permission.

Declaring Permissions per Skill

Each skill should declare what it needs in a machine-readable way (e.g. in a manifest or skill spec).

1. List required permissions. Examples: read_calendar, write_calendar, read_tasks, send_email, read_memory, write_memory, read_documents, read_document_summaries. Use stable permission names so the runtime and the user can understand and approve them.
2. Separate read vs write. read_calendar is less powerful than write_calendar. read_document_summaries (structured output from a pipeline) is less powerful than read_documents (raw file or full content). Declare the minimum; the runtime grants only what's approved.
3. Optional vs required. Some skills might work with reduced behavior if a permission is denied (e.g. "without read_calendar I'll skip calendar in the brief"). Document that so users can choose to deny and accept reduced functionality.

For document-heavy workflows, prefer read_document_summaries over read_documents unless the skill truly needs raw content. That keeps most skills working with iReadPDF output or cached summaries and limits raw PDF access to a small set of trusted skills.

Permission Models

Different models balance ease of use and control.

• User approval per permission. When a skill is installed or first run, the user sees "This skill requests: read_calendar, read_tasks, read_document_summaries." They approve or deny each (or all). The runtime stores the choice and enforces it. Good for transparency; can be noisy if skills request many permissions.
• Scopes or roles. Group permissions into scopes (e.g. "briefing" = read_calendar + read_tasks + read_document_summaries). User approves one scope instead of three. Simpler but coarser; ensure scope definitions match how users think about workflows.
• Tiered trust. Predefined tiers: "low" (no network, no write), "medium" (read-only APIs and document summaries), "high" (write and raw document access). User picks a tier for a skill; the runtime maps the tier to a permission set. Reduces decisions but requires clear tier definitions.

Whatever model you use, document it and make it easy to see what each skill can do. For document access, explicitly distinguish "can read document summaries produced by iReadPDF or the pipeline" from "can read raw documents."

Sandboxing Strategies

Sandboxing enforces permissions at runtime so skills cannot exceed what they were granted.

• API and resource gates. Every call to an external API (calendar, email, file system) goes through a gate that checks permission. No read_calendar → calendar API returns "permission denied" or empty. No read_documents → document service returns only summaries if the skill has read_document_summaries, or blocks entirely otherwise.
• Network and file limits. Restrict network to allowed domains (e.g. only APIs the skill declared). Restrict file system to a temp directory or a whitelisted path. That way a buggy or malicious skill can't exfiltrate data or overwrite arbitrary files.
• Execution isolation. Run skills in a separate process or container so they can't access the host's memory or other skills' data. If your stack supports it, run untrusted skills in a sandboxed environment and trusted ones with more access, and label which is which.

Document and PDF handling can be isolated too: only the designated document pipeline (e.g. iReadPDF in a browser or a trusted service) has access to raw PDFs. Skills receive only the pipeline's output (summaries, metadata) through a controlled channel, so the sandbox boundary is clear.

Document and PDF Access Control

Document and PDF data is often sensitive. Control who and what can see it.

1. Summaries vs raw content. Most workflows need summaries and key points, not full PDF text. Grant read_document_summaries to skills that need to show "what's in the doc queue" or "summarize for the brief." Reserve read_documents (or equivalent) for skills that truly need full content (e.g. search, deep analysis). iReadPDF produces summaries in a standard format; skills that only need that format should not request raw document access.
2. Pipeline as the single reader. Treat the document pipeline as the only component that opens and reads PDFs. It writes summaries and metadata to a store or memory that other skills read from. That way you have one place to audit and lock down document access.
3. Per-document or per-folder rules (optional). In stricter setups, you might restrict which documents a skill can see (e.g. only docs in "Project X" or only summaries, never raw). That requires a document store or tagging that the runtime can enforce; start with "summaries only" for most skills and expand only when needed.

Least privilege for documents means: give skills the minimum they need—usually summaries from iReadPDF or your pipeline—and protect raw content behind explicit permission and sandboxing.

Least Privilege in Practice

Apply least privilege when you design and approve skills.

• Default deny. A new skill has no permissions until the user (or policy) grants them. No "run as full user" by default.
• Narrow grants. If a skill only needs to read today's calendar, grant read_calendar with a time scope rather than "all calendar access" if your runtime supports it. For documents, grant read_document_summaries, not read_documents, unless the skill's purpose requires it.
• Review on update. When a skill updates and requests new permissions, prompt again. Don't auto-grant new permissions; let the user decide.
• Document why. In the skill's description or manifest, explain why each permission is needed. "read_document_summaries: to include doc queue and summary snippets in the morning brief." That helps users make informed choices and reviewers spot overreach.

Audit and Revocation

Visibility and revocation complete the picture.

• Audit log. Log which skill requested which permission and when it was granted or denied. Log when a skill invokes a sensitive API (e.g. send_email, read_documents) so you can review and detect abuse.
• Revocation. Users must be able to revoke a permission or disable a skill. When revoked, the runtime immediately enforces the new limits; the skill may fail or fall back to reduced behavior, which should be documented.
• Per-skill and global. Support revoking one permission for one skill ("revoke send_email for skill X") and, if needed, a global "disable all skills" or "disable all document access" for emergencies.

For document workflows, audit when raw documents or summaries are accessed and by which skill. That way you can align with compliance and user expectations, especially when iReadPDF or your pipeline feeds multiple skills.

Conclusion

Skill permission and sandbox control give you explicit boundaries: what each skill can do and what data it can see, enforced at runtime. Declare permissions per skill, use a clear permission model, and sandbox execution so skills cannot exceed their grants. For documents, prefer read_document_summaries and confine raw PDF access to a dedicated pipeline like iReadPDF, with least privilege and audit and revocation in place. For US professionals, that's how you run powerful automation without giving up control or security.

Ready to keep document access under control? Use iReadPDF for PDF summarization in a controlled flow, then grant skills only the document summary access they need so your automation stays secure and compliant.